Triage Squid Events

Security event triage rules determine which events require further follow up and which
events can be archived without further investigation. HCP processes many events every day so
effective triage helps analysts focus on the most important events.

The two components of security event triage are:

Determine if the event is an alert.

If the event is an alert, assign a score. If the event is not an alert, it is not
scored.

Improve Scoring with a Domain WhitelistOnce you have identified and investigated a potential typosquatted domain and found that it is legitimate, you can stop future alerts by using a domain whitelist enrichment.